Until recently, no two-factor authentication was possible with Kerberos. However, the standardization of RFC 6560 combined with recent work in the MIT krb5 code makes it possible to now offer support for two-factor authentication in Kerberos.

Fedora 18 already supports most of the client side of this proposal. FreeIPA will be landing support for the server side in Fedora 19.